
Comment

Yes, but secure boot is a bad standard because it cannot see the difference between an operating system installed by the user and a virus.

Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write its own scripts?

What it does is ask whether X binary object contains a valid signature based on the keys in its database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is meant to do.

Comment

Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write its own scripts?

What it does is ask whether X binary object contains a valid signature based on the keys in its database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is meant to do.

A security feature has the purpose to protect the users and not restrict them.

Even if trusted software from the user does not have a key, the system should create an exception system to install the software, like browsers do. The browser asks the user about the exception.

Comment

A security feature has the purpose to protect the users and not restrict them.

Even if trusted software from the user does not have a key, the system should create an exception system to install the software, like browsers do. The browser asks the user about the exception.

Just because someone implements a feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

Comment

Just because someone implements a feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

The user cannot create exceptions on Secure Boot. Ex: Ubuntu and Fedora need to create keys.
Using public keys is not an exception because it needs a certificate authority.

NOTICE: Typically the size of one X509 certificate is ~2k, which may exceed
the default maximum variable size. Please adjust the value by PCD if
needed.

9. Set a platform policy of image verification by PCDs.
User can customize platform policy of image verification by PCD value
before build a platform. In [PcdsFixedAtBuild] section of SecurityPkg.dec
file, set the PCD value for each type of device accordingly.

For example, if the platform policy is defined as:
1) Trust all images from OptionROM.
2) Validate all images from removable devices and deny execute when security
violation occurs.
3) Validate all images from hard disk and query user to make decision when
security violation occurs.
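
A simplified model of how the three-part policy in the README excerpt above combines with the signature check, added here as an illustration; it is not EDK2 code and not part of the original post. The policy constant names and values are assumed to match EDK2's image verification library, and `image_origin`, `decision` and `image_decision` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Policy values: assumed to match EDK2's image verification library (not on the page). */
#define ALWAYS_EXECUTE                      0x00000000u
#define NEVER_EXECUTE                       0x00000001u
#define ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002u
#define DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003u
#define DENY_EXECUTE_ON_SECURITY_VIOLATION  0x00000004u
#define QUERY_USER_ON_SECURITY_VIOLATION    0x00000005u

/* Hypothetical names for this sketch. */
enum image_origin { FROM_OPTION_ROM, FROM_REMOVABLE_MEDIA, FROM_FIXED_MEDIA };
enum decision { LOAD, REFUSE, DEFER, ASK_USER };

/* The example policy from the README excerpt, one value per device type. */
static const uint32_t platform_policy[] = {
    [FROM_OPTION_ROM]      = ALWAYS_EXECUTE,                     /* 1) trust all   */
    [FROM_REMOVABLE_MEDIA] = DENY_EXECUTE_ON_SECURITY_VIOLATION, /* 2) deny        */
    [FROM_FIXED_MEDIA]     = QUERY_USER_ON_SECURITY_VIOLATION,   /* 3) ask the user */
};

/* signature_ok: nonzero if the image verified against the key database. */
enum decision image_decision(enum image_origin origin, int signature_ok)
{
    uint32_t policy = platform_policy[origin];

    /* These two ignore the signature entirely. ALWAYS_EXECUTE on option
       ROMs means unsigned option ROM code runs without any check. */
    if (policy == ALWAYS_EXECUTE) return LOAD;
    if (policy == NEVER_EXECUTE)  return REFUSE;

    if (signature_ok) return LOAD;

    /* Verification failed: the policy decides what a "violation" leads to. */
    switch (policy) {
    case ALLOW_EXECUTE_ON_SECURITY_VIOLATION: return LOAD;
    case DEFER_EXECUTE_ON_SECURITY_VIOLATION: return DEFER;
    case QUERY_USER_ON_SECURITY_VIOLATION:    return ASK_USER;
    default:                                  return REFUSE;
    }
}

int main(void)
{
    printf("unsigned image on USB stick: %d\n", image_decision(FROM_REMOVABLE_MEDIA, 0));
    printf("unsigned image on hard disk: %d\n", image_decision(FROM_FIXED_MEDIA, 0));
    return 0;
}
```
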

Comment

They do not need to. Ubuntu/Canonical have made their own key for their bootloader/kernel to be able to run on machines with Secure Boot and the Ubuntu key. Fedora has bought the right to use a Microsoft key, just for convenience, because basically every motherboard will ship with this key. This way they don't have to convince the hardware manufacturers to use their key, unlike Canonical.